ELF/BakSo.SX!tr
Analysis
ELF/BakSo.SX!tr is a generic detection for a trojan. Because the detection is generic, samples detected as ELF/BakSo.SX!tr may differ in behaviour.
Below are some of its observed characteristics and behaviours:
- This malware is related to the PSIRT advisory FG-IR-22-398, which covers a heap-based buffer overflow [CWE-122] in FortiOS SSL-VPN that may allow a remote, unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.
- The malware has been associated with the following advisory: https://www.fortiguard.com/psirt/FG-IR-22-398
- Known samples (MD5 / SHA256):
- Md5: 856341349dd954d82b112ba9165c4563 / Sha256: 23f2536aec6a4977a504312ff5863468ba2900fece735acd775d0ae455b4cd4d
- Md5: 3191cb2e06e9a30792309813793f78b6 / Sha256: 0184e3d3dd8f4778d192d07e2caf44211141a570d45bb47a87894c68ebebeabb
- Md5: bdc2d2f5d5246f8956711bcce9f456b6 / Sha256: 30b2fa0eabc0b1772e8b6deac9a9d4cea58109e865bd0231aea759dc0cf3f35a
- Md5: ae0839351721db5a9c269fd75dcb57ce / Sha256: f331d382a8afb10cfb95354541ac6502cf020df7cb3c1be6ec787c8868b69818
- Md5: e5d989b651b3eb351e10e408d5a062b3 / Sha256: 2c56db88ce96fec0bdbac9184bae5336cb45e071b74a646505c3a80acdc1dcc5
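The hashes above are the practical handle a defender has on this detection. The following is an added example, not Fortinet's code and not part of the original entry: a small scanner that hashes every regular file under a directory (streaming, so large files are not read into memory at once) and reports any whose MD5 or SHA256 matches the indicators listed on this page. The `demo_scan` helper and the files it writes are constructed for illustration only; the extra SHA256 it adds to the indicator set is the hash of a harmless constructed file, not a real sample.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators taken from this page (ELF/BakSo.SX!tr). Hex digests compared lowercase.
KNOWN_MD5 = {
    "856341349dd954d82b112ba9165c4563",
    "3191cb2e06e9a30792309813793f78b6",
    "bdc2d2f5d5246f8956711bcce9f456b6",
    "ae0839351721db5a9c269fd75dcb57ce",
    "e5d989b651b3eb351e10e408d5a062b3",
}
KNOWN_SHA256 = {
    "23f2536aec6a4977a504312ff5863468ba2900fece735acd775d0ae455b4cd4d",
    "0184e3d3dd8f4778d192d07e2caf44211141a570d45bb47a87894c68ebebeabb",
    "30b2fa0eabc0b1772e8b6deac9a9d4cea58109e865bd0231aea759dc0cf3f35a",
    "f331d382a8afb10cfb95354541ac6502cf020df7cb3c1be6ec787c8868b69818",
    "2c56db88ce96fec0bdbac9184bae5336cb45e071b74a646505c3a80acdc1dcc5",
}


def hash_file(path, chunk_size=1 << 20):
    """Return (md5, sha256) hex digests of a file, reading it in chunks."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def scan_directory(root, md5_set=KNOWN_MD5, sha256_set=KNOWN_SHA256):
    """Walk `root` and return [(path, md5, sha256)] for files matching an IoC.

    Symlinks and non-regular files are skipped so the scan cannot be redirected
    outside `root`; unreadable files are skipped rather than aborting the scan.
    """
    matches = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                md5, sha256 = hash_file(path)
            except OSError:
                continue
            if md5.lower() in md5_set or sha256.lower() in sha256_set:
                matches.append((path, md5, sha256))
    return matches


def demo_scan():
    """Constructed demo: one benign file and one file whose SHA256 is added to the
    indicator set as a stand-in for a real sample. Returns matched basenames."""
    with tempfile.TemporaryDirectory() as tmp:
        suspect = Path(tmp) / "suspect.bin"
        suspect.write_bytes(b"constructed sample bytes, not the real payload\n")
        (Path(tmp) / "benign.txt").write_text("hello\n")
        _md5, suspect_sha256 = hash_file(suspect)
        iocs = KNOWN_SHA256 | {suspect_sha256}  # constructed indicator for the demo
        hits = scan_directory(tmp, md5_set=KNOWN_MD5, sha256_set=iocs)
        return sorted(os.path.basename(hit[0]) for hit in hits)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, md5, sha256 in scan_directory(target):
        print(f"MATCH {path}\n  md5={md5}\n  sha256={sha256}")
    print("demo:", demo_scan())
```

Run it as `python scan.py /path/to/check`; a hit should be treated as confirmation for the quarantine step in the Recommended Action section, with the file's full path and both digests recorded before removal so the event can be correlated with other telemetry.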
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Products listed for this detection:
- FortiGate
- FortiClient
- FortiAPS
- FortiAPU
- FortiMail
- FortiSandbox
- FortiWeb
- Web Application Firewall
- FortiIsolator
- FortiDeceptor
- FortiEDR